Dive Brief:

• More than 6,500 individuals took part in the North American Electric Reliability Corporation's biennial GridEx cybersecurity event this week, which simulated a combined physical and cyber attack on the Northeast's gas and electric system over the course of two days.
• This is the fifth GridEx event, and officials say this year's scenario was designed to highlight the utility sector's dependency on gas pipelines as well as the need for coordination among a diverse group of stakeholders.
• NERC officials say there is little chance that an attack on the bulk power system could cause widespread power outages, but the agency runs GridEx every two years so the utility sector can walk through response and recovery plans. More than 425 organizations participated this year.

Dive Insight:

NERC's simulated attack was focused on New York, officials told the media on Thursday, to highlight the extent to which connected systems are impacted and must respond together. Because GridEx is about recovery, it begins with an overwhelming attack.

For Consolidated Edison — which serves 3.5 million customers in the New York City area — that meant thousands of hypothetical outages. The key elements of the GridEx scenario for the utility included a loss of service to 8,000 gas customers in central Westchester and 3,000 in Lower Manhattan "due to a loss of supply," according to the utility. 

Subsequently, a substation explosion in White Plains caused 7,800 simulated electric outages.

The utility's information systems were attacked in the simulation, with customer information likely compromised. Adding insult to injury, ConEd's scenario included a water outage in the Union Square area that forced the utility out of its headquarters for weeks.

"The scenario was a combined physical and cyber attack that unfolds over the course of several weeks,"  NERC President and CEO Jim Robb said.

GridEx was scheduled to run Nov. 13 and 14 — information on final outcomes was not immediately available. 

NERC officials say they wanted to highlight the region's growing dependency on natural gas.

The Interstate Natural Gas Association of America participated in GridEx, along with a few of its member companies. The exercises help illustrate cross sector interdependencies, and to "create a roadmap for future incident coordination," Mike Isper, INGAA's director of security, reliability and resilience, told Utility Dive in a statement. 

Locating the outages in New York also forced stakeholders to address impacts on Wall Street and financial services while coordinating with Canadian counterparts.

NERC officials also highlighted the growing participation in GridEx among community-owned utilities. The number of public power organizations participating in GridEx doubled between 2017 and 2019. 

“Public power utilities are increasingly realizing that while they are typically smaller than their investor-owned brethren they are not immune to cyber and physical threats," American Public Power Association Senior Director of Cyber and Physical Security Services Nathan Mitchell told Utility Dive.

"I think the surge in participation shows that public power utilities are taking these threats seriously and standing up to the challenge of facing them," Mitchell said.

Each GridEx simulation has grown in size and complexity, attempting to address weaknesses that get exposed. The after-action report for GridEx IV, two years ago, concluded none of the utilities participating in the exercise turned to vendors for help or information.

This year, NERC says it took steps to ensure the electric sector would have to reach widely for help. And a table-top executive exercise included original equipment manufacturers, interstate and local gas pipelines and financial services companies.

'Cyber hygiene' is 1 key to utility security

"The supply chain issue is complex and hard to think about over time," said Tom Fanning, who co-chairs the Electricity Subsector Coordinating Council and is president and CEO of Southern Co. "Threat vectors change continually. What may be a good device today may change tomorrow."

Fanning said there must be a "process of cyber hygiene" where the industry works continuously on these issues.

NERC sets Critical Infrastructure Protection (CIP) standards to protect the bulk power system, and so far the U.S. electric sector has avoided significant impacts on grid operations from a cyberattack. Officials, asked about a March cyberattack on wind and solar assets, made the point that keeping systems up to date and in compliance with CIP standards is vital. 

A Denial of Service attack earlier this year impacted sPower's visibility into about 500 MW of wind and solar across California, Utah and Wyoming, though it did not take any generation offline. Attackers exploited a known vulnerability in an unpatched Cisco firewall, causing a series of reboots. According to NERC's Robb, the facilities were not subject to NERC standards because they were considered "low-impact facilities."

But had the facility been compliant with NERC standards, "the attacks would not have occurred," Robb said. "This was largely a lesson in staying current with supply chain issues."